I'm struggling with setting up an OIDC Provider configuration that also leverages WebSEAL to handle the Authentication to the /authorize endpoint, and the application requesting the access token is protected by this same WebSEAL.

There is a legacy application that runs on standard junctions through a WebSEAL instance, but there are multiple domains that access that WebSEAL, mostly to control which instances in the cluster the user hits. We have eight instances, so there's an online.acme.com that runs against all 8, online-p.acme.com that runs against four, and online-b.acme.come that runs against the other four. We also want to be able to handle requests to each instance directly for testing purposes, so direct to the actual WebSEAL hostname like webseal1.acmeint.org, webseal2.acmeint.org, etc.  

The problem I'm hitting is that i want to be able to control where the entire flow goes through the DNS entries, however the OIDC provider can only be configured with a single issuer. I don't want to set up a dozen provider definitions (which isn't that big of a deal), but I really don't want to force the backend application to need to dynamically change which client ID its using based on the incoming hostname.

We can enable session domain cookies to handle at least the authentication across each domain, but I still need to be able to test the entire flow across just online-p, or direct to a single webseal instance without redirecting out to the singular issuer for the auth code flow.  Is there any way to achieve this without setting up providers for each individual hostname that the webseal instances may encounter?

I'm struggling with setting up an OIDC Provider configuration that also leverages WebSEAL to handle the Authentication to the /authorize endpoint, and the application requesting the access token is protected by this same WebSEAL.

There is a legacy application that runs on standard junctions through a WebSEAL instance, but there are multiple domains that access that WebSEAL, mostly to control which instances in the cluster the user hits. We have eight instances, so there's an online.acme.com that runs against all 8, online-p.acme.com that runs against four, and online-b.acme.come that runs against the other four. We also want to be able to handle requests to each instance directly for testing purposes, so direct to the actual WebSEAL hostname like webseal1.acmeint.org, webseal2.acmeint.org, etc.  

The problem I'm hitting is that i want to be able to control where the entire flow goes through the DNS entries, however the OIDC provider can only be configured with a single issuer. I don't want to set up a dozen provider definitions (which isn't that big of a deal), but I really don't want to force the backend application to need to dynamically change which client ID its using based on the incoming hostname.

We can enable session domain cookies to handle at least the authentication across each domain, but I still need to be able to test the entire flow across just online-p, or direct to a single webseal instance without redirecting out to the singular issuer for the auth code flow.  Is there any way to achieve this without setting up providers for each individual hostname that the webseal instances may encounter?

------------------------------
Brian Thompson
------------------------------

If you need to change the issuer for the access_token or id_token, you can update the pre-token JS and use the STS to create a customized access token with the issuer (ISS) you want. For example, you can read the HTTP header host and use it as the issuer.
This article may give you some ideas on how to change the issuer:
https://community.ibm.com/community/user/blogs/sumana-narasipur/2018/07/19/oauth-jwt-access-token

And you can customize the OIDC discovery response with the correct host by using a combination of Lua and a static page with macros.
Basically you need a static page in WebSEAL with a custom MACRO like %HOST% in the static HTML page.
The lua transformation will redirect the oidc discovery to this static page. You also can create a new HTTP header using lua and use it in this static page. The macro should be like this: %HTTPHDR{myiss}%


------------------------------
Rudy Santos

Original Message:
Sent: Mon September 15, 2025 03:39 PM
From: Brian Thompson
Subject: ISVA 10.0.7 - Dynamic OIDC Issuer

I'm struggling with setting up an OIDC Provider configuration that also leverages WebSEAL to handle the Authentication to the /authorize endpoint, and the application requesting the access token is protected by this same WebSEAL.

There is a legacy application that runs on standard junctions through a WebSEAL instance, but there are multiple domains that access that WebSEAL, mostly to control which instances in the cluster the user hits. We have eight instances, so there's an online.acme.com that runs against all 8, online-p.acme.com that runs against four, and online-b.acme.come that runs against the other four. We also want to be able to handle requests to each instance directly for testing purposes, so direct to the actual WebSEAL hostname like webseal1.acmeint.org, webseal2.acmeint.org, etc.  

The problem I'm hitting is that i want to be able to control where the entire flow goes through the DNS entries, however the OIDC provider can only be configured with a single issuer. I don't want to set up a dozen provider definitions (which isn't that big of a deal), but I really don't want to force the backend application to need to dynamically change which client ID its using based on the incoming hostname.

We can enable session domain cookies to handle at least the authentication across each domain, but I still need to be able to test the entire flow across just online-p, or direct to a single webseal instance without redirecting out to the singular issuer for the auth code flow.  Is there any way to achieve this without setting up providers for each individual hostname that the webseal instances may encounter?

------------------------------
Brian Thompson
------------------------------